Leonid Mishkind
Frequent Advisor

Controlling users

Hello to all!

I want to define a user that cannot do rlogin/telnet/remsh/ssh to a server, but that I can "su" to from any defined server.
Does anyone know how to do this?

thank you.
Peter Godron
Honored Contributor

Re: Controlling users

Hi,
Not sure I understand. Your user is not allowed to connect to the machine, but the su command requires root password access??
In order to use su you have to have a session, so you have to have logged on.
Please clarify.
Leonid Mishkind
Frequent Advisor

Re: Controlling users

No. What I mean is that I have a user that I log in with to a server, let's call it "leonid". From user "leonid" I want to do a su to user "oracle" (let's say I know the password). I want to make sure that no one does rlogin or telnet with user "oracle", only "su" to that user.

Is this better?
Peter Godron
Honored Contributor

Re: Controlling users

Hi,
could you please try:
Include in /etc/profile:

    # abort the login shell when the oracle account was entered directly
    # rather than through su ($0 is expected to be "-su" when su started the shell)
    if [ "$LOGNAME" = oracle -a "$0" != "-su" ]
    then
        echo "Error: oracle logins only via su"
        exit
    fi

Then try and log in as oracle (should fail).
Log on as "leonid" and su to oracle.
You can also play with /etc/default/security, setting SU_ROOT_GROUP
But best security is not to allow the oracle password to be known.
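A profile guard that does not depend on $0 (which differs between shells) is to compare the account the shell runs as with the login name recorded for the terminal. The block below is an added example, not code from the thread: it assumes that logname(1) reports the user in the utmp entry for the controlling terminal, so after "su - oracle" it still prints the original user while after a direct telnet/rlogin/ssh login as oracle it prints oracle. The decision is kept in a function that returns a status, with constructed sample sessions run through it; in a real /etc/profile you would call guard_current_session and exit on failure.

```shell
#!/bin/sh
# Added example, not from the thread. Guard for /etc/profile that tells a
# login shell for "oracle" started by su apart from a direct login.
# Assumption: logname(1) prints the user from the terminal's utmp entry,
# which "su - oracle" does not rewrite. Verify this on your own system.

SERVICE_ACCOUNT=oracle

# should_block RUNNING_AS TERMINAL_USER
#   RUNNING_AS     account the shell runs as (what `id -un` prints)
#   TERMINAL_USER  what `logname` prints, or empty if it failed (no tty/utmp)
# Returns 0 when the session must be refused, 1 when it may continue.
should_block() {
    running_as=$1
    terminal_user=$2
    # only the service account is restricted
    [ "$running_as" = "$SERVICE_ACCOUNT" ] || return 1
    # no utmp login name (e.g. "ssh oracle@host cmd" without a tty): treat as direct
    [ -n "$terminal_user" ] || return 0
    # direct login: the terminal owner and the shell owner are the same account
    [ "$terminal_user" = "$SERVICE_ACCOUNT" ]
}

# Evaluates the live session; for /etc/profile use: guard_current_session || exit
guard_current_session() {
    if should_block "$(id -un)" "$(logname 2>/dev/null)"; then
        echo "Error: $SERVICE_ACCOUNT logins only via su" >&2
        return 1
    fi
    return 0
}

# Constructed sample sessions: "running_as terminal_user label" ("-" = no logname)
for scenario in "oracle oracle direct-telnet-login" \
                "oracle leonid su-from-leonid" \
                "oracle - ssh-command-no-tty" \
                "leonid leonid ordinary-user"; do
    set -- $scenario
    term=$2
    if [ "$term" = - ]; then term=; fi
    if should_block "$1" "$term"; then verdict=blocked; else verdict=allowed; fi
    echo "$3: $verdict"
done
```

Caveat: /etc/profile is only read by login shells, so "su oracle" without the dash bypasses it, and "ssh oracle@host /bin/sh" never reads it at all. For ssh the check belongs in sshd_config (DenyUsers oracle); the profile guard only covers the telnet/rlogin case the poster asked about.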
Peter Godron
Honored Contributor

Re: Controlling users

Hi,
also found some similar requests:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1048593
and to restrict access to su:
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=992121

If you found my replies helpful, please see:
http://forums1.itrc.hp.com/service/forums/helptips.do?#22 . Your profile shows you have only allocated points to 1 answer out of 9.
Steven E. Protter
Exalted Contributor

Re: Controlling users

Shalom,

A user must be logged in to su.

If you disable rlogin/telnet/remsh/ssh then the user cannot log in and therefore cannot su.

You can chroot the user and limit his/her access prior to the su.

I think you need to look at the larger picture concerning security here and set a reasonable goal, which is not apparent from your post.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
FERRARI MARCO
Advisor

Re: Controlling users

I think we accomplished what you are looking for by:

1. disabling the password-in-clear protocols (rsh, telnet, ftp)

2. using the AllowGroups directive in sshd_config, allowing only defined groups to ssh to the system (appl_users, system_admins, system_operators); individual accounts are created and maintained in those groups, using the Trusted System features, such as locking them out after 5 failed login attempts

3. letting users su to oracle, appl-admin, root or other administrative accounts: that way, 2 passwords are needed for every administrative login

Regards,
Marco
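The first two steps above are configuration changes that are easy to get partly wrong (an entry left active in inetd.conf, an AllowGroups line that is commented out). The following is an added example, not from the thread: a small audit script that checks inetd.conf text for still-active clear-text services and sshd_config text for an effective AllowGroups list. It works on the constructed sample configurations embedded in the script, whose daemon paths are illustrative, so it runs without touching the live system; point the functions at `cat /etc/inetd.conf` and `cat /opt/ssh/etc/sshd_config` (path is an assumption) to audit a real host.

```shell
#!/bin/sh
# Added example, not from the thread. Audits config text for the two
# hardening steps above: clear-text services disabled in inetd.conf and
# ssh logins restricted with AllowGroups. Configs are passed as strings so
# the checks can run on the constructed samples below.

# cleartext_disabled INETD_CONF_TEXT
# Returns 0 when none of telnet, shell (remsh), login (rlogin) and ftp has an
# active (uncommented) entry, 1 otherwise.
cleartext_disabled() {
    conf=$1
    for svc in telnet shell login ftp; do
        # an active inetd.conf entry begins the line with the service name
        if printf '%s\n' "$conf" | grep -Eq "^[[:space:]]*${svc}[[:space:]]"; then
            return 1
        fi
    done
    return 0
}

# ssh_allowed_groups SSHD_CONFIG_TEXT
# Prints the groups named on non-commented AllowGroups lines, one per line.
ssh_allowed_groups() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }'
}

# ssh_group_allowed SSHD_CONFIG_TEXT GROUP
# Returns 0 when GROUP is listed in AllowGroups. With no AllowGroups line at
# all sshd admits every group, so this deliberately reports "not restricted".
ssh_group_allowed() {
    ssh_allowed_groups "$1" | grep -qx "$2"
}

# Constructed sample configurations (paths illustrative, not a real host):
INETD_BEFORE='telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
shell   stream tcp nowait root /usr/lbin/remshd  remshd
login   stream tcp nowait root /usr/lbin/rlogind rlogind
ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l'

INETD_AFTER='#telnet  stream tcp nowait root /usr/lbin/telnetd telnetd
#shell   stream tcp nowait root /usr/lbin/remshd  remshd
#login   stream tcp nowait root /usr/lbin/rlogind rlogind
#ftp     stream tcp nowait root /usr/lbin/ftpd    ftpd -l
daytime stream tcp nowait root internal'

SSHD_WEAK='# no AllowGroups: any account, oracle included, may ssh in
PasswordAuthentication yes'

SSHD_HARDENED='# only members of these groups may open an ssh session
AllowGroups appl_users system_admins system_operators
# AllowGroups dba   <- commented out, must not count'

# audit LABEL INETD_TEXT SSHD_TEXT GROUP: prints a one-line verdict
audit() {
    label=$1 inetd=$2 sshd=$3 group=$4
    if cleartext_disabled "$inetd"; then a=yes; else a=no; fi
    if ssh_group_allowed "$sshd" "$group"; then b=yes; else b=no; fi
    echo "$label: cleartext disabled=$a, ssh restricted to $group=$b"
}

audit before "$INETD_BEFORE" "$SSHD_WEAK" appl_users
audit after  "$INETD_AFTER"  "$SSHD_HARDENED" appl_users
```

The third step (su only) needs no script: once oracle has no group in AllowGroups and the clear-text daemons are off, the only way onto the account is su from a session that already passed ssh.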
Leonid Mishkind
Frequent Advisor

Re: Controlling users

Thanks to everyone for the answers; unfortunately none of your answers supplied a solution for me:
Peter Godron - I checked the solution through /etc/profile, but the parameter $0 always contains "-sh" or "-ksh" no matter how I logged in.

Unfortunately my system is not that secure and the login protocols are being used by users, so I can't disable any of them.

I guess my main problem is that I am looking for a temporary solution that is quick to implement.

Thanks to all.
FERRARI MARCO
Advisor
Solution

Re: Controlling users

If you don't want to be secure, try this:
1. copy ksh or sh to $DIR/become_oracle
2. make it a SUID program owned by oracle_admin
3. put an arbitrary string as the oracle user's password
4. users do: $DIR/become_oracle

This is horrible security-wise but should work.

Let me know, I don't think I've tried it recently.

You make me a hacker, my friend,
Marco
Leonid Mishkind
Frequent Advisor

Re: Controlling users

Following your advice I tried something like this.

leonid@server> cat become_oracle
su - oracle
leonid@server> ls -l become_oracle
-rwsr-xr-x 1 root sys 43 Oct 26 09:36 become_oracle

But ... when I execute the file as user leonid, I still get prompted for a password.